Parse Variable Patterns Using Regex

The Parse Regex operator (also called the extract operator) enables users comfortable with regular expression syntax to extract more complex data from log lines. Parse regex can be used, for example, to extract nested fields.

User-added fields, such as extracted or parsed fields, can be named using alphanumeric characters as well as underscores ("_") and dashes ("-"). They must start and end with an alphanumeric character.

The Sumo Logic query language requires that any group that is not captured to an alias be marked explicitly as a non-capturing group, (?:...).

So, to match either word without capturing it, you would write:

parse regex "list 101 (?:accepted|denied) (?<protocol>.*?) "

But if you mean to also capture whether it is an "accepted" or a "denied" into an alias, then you would include:

parse regex "list 101 (?<status>accepted|denied) (?<protocol>.*?) "

Parse multi

In addition to parsing a single field value, the multi option (also called parse multi) lets you parse multiple values from one log message. The multi keyword instructs the parse regex operator to find not just the first value in a message but all of them, even when messages contain a varying number of values. To do this, multi creates one copy of the message per extracted value, so that each individual value in the field can be counted.

For example, say our firewall log messages look like this:

M1 Firewall Rules: |967:925:123|

From this message, we'd like to extract the firewall codes. Use the multi keyword in the parse regex:
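As an added illustration that is not part of the Sumo Logic documentation, the Python script below emulates how parse regex turns named groups into fields and how the multi option fans one message out into one row per match, using constructed sample messages. The parse_regex helper and its rule that non-matching messages are dropped are assumptions of this example, not Sumo Logic's implementation.

```python
import re

# Constructed sample log lines for this example (not from a real system).
LOGS = [
    "list 101 accepted tcp 10.0.0.5 -> 10.0.0.9",
    "list 101 denied udp 10.0.0.7 -> 10.0.0.9",
    "M1 Firewall Rules: |967:925:123|",
    "M2 Firewall Rules: |404|",
]


def parse_regex(messages, pattern, multi=False):
    """Emulate `parse regex "<pattern>" [multi]` (hypothetical helper).

    Sumo Logic writes named groups as (?<name>...); Python's re module
    needs (?P<name>...), so that syntax is rewritten here. Lookbehinds
    (?<= and (?<! are left untouched.
    Without multi, the first match in a message yields one row and
    non-matching messages are dropped (assumed behaviour, as without nodrop).
    With multi, every match yields its own copy of the message.
    """
    rx = re.compile(re.sub(r"\(\?<(?![=!])", "(?P<", pattern))
    rows = []
    for msg in messages:
        matches = rx.finditer(msg) if multi else [rx.search(msg)]
        for m in matches:
            if m is None:
                continue  # no match: message dropped
            row = {"_raw": msg}
            row.update(m.groupdict())  # each named group becomes a field
            rows.append(row)
    return rows


def status_protocol_rows():
    # Both groups are aliased, so both become fields.
    return parse_regex(LOGS, r"list 101 (?<status>accepted|denied) (?<protocol>\S+)")


def firewall_codes(multi):
    # Codes sit between '|' and ':' delimiters; the lookbehind keeps the
    # digit in "M1" from being taken as a code.
    return parse_regex(LOGS, r"(?<=[|:])(?<fw_code>\d+)", multi=multi)


if __name__ == "__main__":
    for row in firewall_codes(multi=True):
        print(row["fw_code"], "<-", row["_raw"])
```

Without multi the firewall query yields one row per message (967 and 404); with multi it yields four rows, one per code, so a following count by fw_code counts each code separately.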
